11.07.2015 Views

Improving Web Application Security: Threats and - CGISecurity


How To: Use URLScan

Throttling Request Sizes with URLScan

You can use URLScan as another line of defense against denial of service attacks even before requests reach ASP.NET. You do this by setting limits on the MaxAllowedContentLength, MaxUrl and MaxQueryString attributes.

To throttle the request sizes, add the following configuration to URLScan.ini:

    [RequestLimits]
    ; The entries in this section impose limits on the length
    ; of allowed parts of requests reaching the server.
    ;
    MaxAllowedContentLength=2000000000
    MaxUrl=16384
    MaxQueryString=4096

Debugging VS .NET with URLScan Installed

By default, URLScan does not allow the DEBUG verb. Therefore, when you use VS.NET to debug a Web application on a server where URLScan is installed, you may see the following error:

    Microsoft Development Environment:
    Error while trying to run project: Unable to start debugging on the web server.
    Could not start ASP.NET or ATL Server debugging.
    Verify that ASP.NET or ATL Server is correctly installed on the server. Would you
    like to disable future attempts to debug ASP.NET pages for this project?
    Yes  No  Help

Your URLScan log file will also contain an entry similar to the following:

    [01-18-2003 - 22:25:26] Client at 127.0.0.1: Sent verb 'DEBUG', which is not specifically allowed. Request will be rejected.

To support debugging, add DEBUG to the AllowVerbs section in URLScan.ini as shown below:

    [AllowVerbs]
    GET
    HEAD
    POST
    DEBUG

Note: You need to restart IIS for changes to take effect.
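The following Python script is an added example, not part of the original guide or of URLScan itself. It audits a URLScan.ini for the three request limits named above, reports whether DEBUG is still listed under AllowVerbs, and extracts rejected-verb entries from a URLScan log. The function names, the sample data and the parsing rules (';' starts a comment, names compared case-insensitively) are assumptions made for the illustration.

```python
import re

# Pattern follows the rejected-verb log entry quoted on this page.
LOG_RE = re.compile(r"\[(?P<ts>[^\]]+)\] Client at (?P<ip>[\d.]+): "
                    r"Sent verb '(?P<verb>[^']+)', which is not specifically allowed")
LIMIT_KEYS = ("MaxAllowedContentLength", "MaxUrl", "MaxQueryString")

# Constructed sample: MaxQueryString left commented out, DEBUG still allowed.
SAMPLE_INI = """[RequestLimits]
MaxAllowedContentLength=2000000000
MaxUrl=16384
;MaxQueryString=4096
[AllowVerbs]
GET
HEAD
POST
DEBUG
"""
# Constructed sample log; the first entry has the shape of the one shown on the page.
SAMPLE_LOG = """[01-18-2003 - 22:25:26] Client at 127.0.0.1: Sent verb 'DEBUG', which is not specifically allowed. Request will be rejected.
[01-18-2003 - 22:31:02] Client at 192.0.2.10: Sent verb 'TRACE', which is not specifically allowed. Request will be rejected.
"""

def parse_ini(text):
    """Return {section: [entries]}. Assumes ';' starts a comment; names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), [])
        elif line and current is not None:
            current.append(line)
    return sections

def audit(ini_text):
    """Report active request limits, missing ones, and whether DEBUG is allowed."""
    sections = parse_ini(ini_text)
    limits = {}
    for entry in sections.get("requestlimits", []):
        key, sep, value = entry.partition("=")
        if sep and value.strip().isdigit():
            limits[key.strip().lower()] = int(value)
    missing = [k for k in LIMIT_KEYS if k.lower() not in limits]
    verbs = {v.upper() for v in sections.get("allowverbs", [])}
    return {"limits": limits, "missing": missing, "debug_allowed": "DEBUG" in verbs}

def rejected_verbs(log_text):
    """Return (client, verb) pairs for requests rejected because of their verb."""
    return [(m["ip"], m["verb"]) for m in map(LOG_RE.match, log_text.splitlines()) if m]
```

Calling audit(SAMPLE_INI) reports MaxQueryString as missing and DEBUG as allowed, which is the state a server is left in when a limit is commented out and the debugging change is never reverted.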
